Field Guide

Encrypting Healthcare and Research Records

A practical look at how teams can use VellumGuard to add post-quantum application-layer encryption to patient-adjacent and research data — without rebuilding existing systems from scratch.

Beta caveat. VellumGuard is not currently HIPAA compliant. No Business Associate Agreement (BAA) is currently available. Do not process real PHI through VellumGuard without a separate written data-handling agreement. Use test or synthetic data during beta integration.

The problem

Healthcare and research teams typically store sensitive data in databases and APIs behind access controls. Those controls matter. But they protect the storage layer, not the data itself. Application-layer encryption adds a second line: even if database access is compromised, ciphertext without the right keys is unreadable.

The second problem is time. Clinical records, genomic data, and longitudinal research results stay sensitive for decades. The cryptographic assumptions behind RSA and ECC — which most software uses today — may not hold against a sufficiently capable quantum computer. NIST finalized post-quantum cryptography standards in 2024 specifically because this risk is real enough to plan around now.

"Harvest now, decrypt later" is the specific threat: adversaries can collect encrypted records today and decrypt them when better hardware arrives. For data that needs to stay confidential through 2035 and beyond, the encryption applied today determines the protection you have then.

Example workflow

A health-tech team builds an integration layer for a clinical notes product. Patient notes and intake forms are encrypted at the application layer before storage. Each clinical provider gets a workspace with isolated key material. Audit events record every encryption and decryption operation. When a provider offboards, their workspace key is rotated and old identity keys are rewrapped.

The database contains only ciphertext. A breach of the database or its cloud storage yields unreadable data — an attacker would also need the private key material, which is managed separately in the VellumGuard KMS backed by Google Cloud KMS.

Where VellumGuard fits

  • Encrypting application payloads — patient notes, intake forms, clinical summaries — before storage
  • Workspace isolation: each provider or research team gets separate key material
  • Identity-scoped authorization: individual users have individual encryption identities
  • Full key rotation lifecycle — generate, promote, rewrap, retire — with audit records preserved
  • Security events for every key operation, queryable and durable
  • NIST-standardized hybrid post-quantum crypto: X25519 + ML-KEM-768, Ed25519 + ML-DSA-65

What teams can test in beta

  • TypeScript SDK integration with synthetic or test patient data
  • Workspace-per-provider key isolation and access scoping
  • The complete key rotation lifecycle: promote, rewrap, retire
  • Reviewing the audit event log for compliance documentation purposes
  • Comparing hybrid post-quantum encryption performance against current implementations
  • Walking through what a PHI breach scenario looks like when data is encrypted at the application layer

What VellumGuard does not replace

VellumGuard handles one specific thing: application-layer encryption and key management. It is not a HIPAA compliance program. It does not replace:

  • Infrastructure-layer access controls (IAM, network policies, storage ACLs)
  • Audit logging at the network or database layer
  • HIPAA-required administrative, physical, and technical safeguards
  • Staff security and privacy training
  • Incident response planning and breach notification procedures
  • Business Associate Agreements with downstream processors
  • Any other component of a healthcare compliance program

VellumGuard may strengthen application-layer data protection as one component of a broader security program. It does not certify or satisfy HIPAA requirements on its own.

Request design partner access

If you are building a healthcare or research application and want to test post-quantum encryption in a controlled beta environment, apply for design partner access. Beta is free unless otherwise agreed in writing. No charges without a written agreement before general availability.

Apply for access →

Questions? Email beta@vellumguard.com or browse other field guides.